← Back to Explore
sigmamediumHunting
Renamed AutoHotkey.EXE Execution
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
Detection Query
selection:
- Product|contains: AutoHotkey
- Description|contains: AutoHotkey
- OriginalFileName:
- AutoHotkey.exe
- AutoHotkey.rc
filter:
- Image|endswith:
- \AutoHotkey.exe
- \AutoHotkey32.exe
- \AutoHotkey32_UIA.exe
- \AutoHotkey64.exe
- \AutoHotkey64_UIA.exe
- \AutoHotkeyA32.exe
- \AutoHotkeyA32_UIA.exe
- \AutoHotkeyU32.exe
- \AutoHotkeyU32_UIA.exe
- \AutoHotkeyU64.exe
- \AutoHotkeyU64_UIA.exe
- Image|contains: \AutoHotkey
condition: selection and not filter
Author
Nasreddine Bencherchali
Created
2023-02-07
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasion
Raw Content
title: Renamed AutoHotkey.EXE Execution
id: 0f16d9cf-0616-45c8-8fad-becc11b5a41c
status: test
description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
references:
- https://www.autohotkey.com/download/
- https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
author: Nasreddine Bencherchali
date: 2023-02-07
tags:
- attack.defense-evasion
logsource:
category: process_creation
product: windows
detection:
selection:
- Product|contains: 'AutoHotkey'
- Description|contains: 'AutoHotkey'
- OriginalFileName:
- 'AutoHotkey.exe'
- 'AutoHotkey.rc'
filter:
- Image|endswith:
- '\AutoHotkey.exe'
- '\AutoHotkey32.exe'
- '\AutoHotkey32_UIA.exe'
- '\AutoHotkey64.exe'
- '\AutoHotkey64_UIA.exe'
- '\AutoHotkeyA32.exe'
- '\AutoHotkeyA32_UIA.exe'
- '\AutoHotkeyU32.exe'
- '\AutoHotkeyU32_UIA.exe'
- '\AutoHotkeyU64.exe'
- '\AutoHotkeyU64_UIA.exe'
- Image|contains: '\AutoHotkey'
condition: selection and not filter
falsepositives:
- Unknown
level: medium